Dynamics 365 Business Central: Partner access control to SaaS tenants.

Dynamics 365 Business Central version 25 introduces a new feature in the environment’s Admin Center panel: Partner Access.

By default, all Dynamics 365 Business Central environments are set up to allow all partner access (every partner with a delegated admin relationship with the customer can access every environment in the tenant).

With this new feature, the customer’s internal administrators can use the Partner access settings in the Business Central Admin Center to enable or disable delegated administrators from administering and accessing each environment, or to only allow delegated administrators from specific partner Entra tenants to administer and access a specific environment.

When accessing the Partner Access feature, you have two options:

  • Allow partner access: When this setting is set to on, delegated administrators with a supported Entra role in a granular delegated administrative privileges (GDAP) relationship with the customer, and foreign multitenant applications with admin consent to Business Central APIs, can access and administer the selected Business Central environment. If the setting is set to off, delegated administrators or multitenant apps that aren’t homed in the customer tenant can’t administer or access the environment.
  • Allow access to all partner tenants: if the setting is set to on, all partners with tenant-level access (GDAP relationship in place) can access the selected environment. If the setting is set to off, a list of partners with current tenant-level access (GDAP relationship) appears. In this list you can allow or deny access to the environment for a specific partner. Please note that you can allow up to 10 partner tenants per environment.

Here is an example of multiple partners’ selections for a given environment:

Please note that this new setting can only be managed by the customer’s internal global administrators.

What should you do?

As a personal recommendation, if you have multiple partners with a GDAP relationship in place with the customer’s tenant, it’s now a best practice to disable the possibility that all partners can access the Business Central environment. Set up the environment not to allow access to all partner tenants, and then explicitly grant access to the environment to the partners that you really need. So, the setting should always be the following:

There are also two important hidden aspects to keep in mind related to this feature:

  • The Partner access settings for an environment are preserved if tenant-level access is removed (for example, when a GDAP relationship has ended or application consent to the Business Central administration center API has been revoked). If the tenant-level access is later re-enabled, the partner automatically gets access to the environment again. To avoid this situation, you should change the specific Partner access setting on the environment after the tenant-level access is removed (like in the previous image).
  • The Partner access settings specified for an environment are preserved during environment lifecycle operations (copy, restore, transfer operations).
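
The two settings and the preserved-settings caveat above can be checked against an inventory of environments. The sketch below is an added example, not code from the original post or from Microsoft: the `EnvPartnerAccess` record, its field names and the partner tenant labels are assumptions standing in for values read from the Admin Center, and the sample data is constructed.

```python
from dataclasses import dataclass, field

MAX_ALLOWED_PARTNERS = 10  # per-environment limit stated in the article


@dataclass
class EnvPartnerAccess:
    # Hypothetical record of one environment's Partner access settings.
    name: str
    allow_partner_access: bool = True        # default described in the article
    allow_all_partner_tenants: bool = True   # default described in the article
    allowed_partner_tenants: set = field(default_factory=set)


def effective_partners(env, gdap_tenants):
    """Partner tenants that can reach the environment right now."""
    if not env.allow_partner_access:
        return set()
    if env.allow_all_partner_tenants:
        return set(gdap_tenants)
    # An allow-list entry only takes effect while tenant-level access exists.
    return env.allowed_partner_tenants & set(gdap_tenants)


def audit(env, gdap_tenants):
    """Return findings for one environment as a sorted list of strings."""
    findings = []
    if env.allow_partner_access and env.allow_all_partner_tenants:
        findings.append("all-partners-allowed")
    if env.allow_partner_access and not env.allow_all_partner_tenants:
        if len(env.allowed_partner_tenants) > MAX_ALLOWED_PARTNERS:
            findings.append("allow-list-exceeds-limit")
        # Preserved entries without tenant-level access: the partner regains
        # access automatically if the GDAP relationship is re-established.
        for tenant in env.allowed_partner_tenants - set(gdap_tenants):
            findings.append(f"dormant-grant:{tenant}")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample: partner-c's GDAP relationship has ended.
    gdap = {"partner-a", "partner-b"}
    envs = [
        EnvPartnerAccess("Production"),
        EnvPartnerAccess("Sandbox", True, False, {"partner-a", "partner-c"}),
    ]
    for env in envs:
        print(env.name, sorted(effective_partners(env, gdap)), audit(env, gdap))
```

A `dormant-grant` finding marks the entry to switch off on the environment once the tenant-level access has been removed.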

I personally suggest that you start using this new feature and change the default behaviour on your environments.

Original Post https://demiliani.com/2024/12/02/dynamics-365-business-central-partner-access-control-to-saas-tenants/
